Federation 2.0: An identity ecosystem

Standards are maturing just in time for identity federations to meet the new demands for cloud and mobile access, reports Deb Radcliff.

For years, the notion of federating identities into a single secure identity “ecosystem” to work across multiple applications and entities seemed to gain little traction. That is, until recently, when cloud computing and mobility started placing new demands on access that only a federation could solve.

The reality is, identity federations of hundreds of thousands to millions of business-to-business (b2b) entities are flourishing in the automotive, aerospace, pharmaceutical, government and other sectors. Now, vendors, service providers and enterprises are adopting standards to support single sign-on (SSO) authentication for cloud and mobile access. Meanwhile, Facebook, Google and other social networking giants are poised to become one-stop identity providers for the masses.

“Federation is alive, well and thriving,” says Mark Diodati, research vice president at Gartner. “Most organizations are using federation internally, to connect to partners and to connect disparate security and access systems during mergers and acquisitions. Now, federated identity is about SSO and provisioning to resources in the cloud.”

That is not to say that federation is going to be a walk in the park. Standards – responsible for growing adoption of identity federations – are numerous and confusing, experts say. Yet, to comprehensively prepare for federation, enterprises, cloud service providers, as well as identity services and access management vendors, will all have to consider multiple standards based on their – and their users’ – access models.

Another issue is vetting the identities, which brings into question legal issues around privacy, liability and allocation of risk, says Jeremy Grant, program director of the National Strategy for Trusted Identities in Cyberspace (NSTIC), a public-private sector initiative that debuted in April. The agency is charged with creating a trusted, online ecosystem that would designate a single credential to users as a one-time digital password – e.g., software for mobile devices, a smart card or token – to foster secure transactions on the internet.

“There are very large federations out there specific to sectors within the government and in vertical industries,” Grant says, pointing to SAFE BioPharma (a standard used by organizations to verify and manage digital identities), CertiPath (which manages a huge identity federation for the aerospace industry), and InCommon Federation (which supports more than 200 research universities). “The issue is getting identity federation to the next level, which requires a new wave of authentication technologies and rules to govern them that can work in a highly mobile, portable world where smart cards and tokens may not always be the answer.”

For example, he cites phone authentication, which can be used as a third factor for one-time tokens via text message. In addition, the phone itself can be used as the additional factor.

Enterprise federations

These, and multiple other SSO and authentication technologies, are enabled by federation, say experts. However, depending on their use, federated networks come in many different flavors, all of which are impacted by what analysts call an alphabet soup of standards.

Confusion over these standards has, so far, held up widespread adoption of federation, says Eve Maler, principal analyst with Forrester Research.

She estimates that large-enterprise adoption of federation for business process outsourcing, such as access to human resources web apps, is higher, although there is no formal data available. She adds that adoption will really take off now that the Security Assertion Markup Language, or SAML, became a standard once Microsoft adopted it for its Active Directory Federation Services (AD FS) 2.0, released in mid-2010.

“All vendors, services and enterprises need to get onboard with SAML if they want to federate identities,” says André Gold, senior director of technology operations and IT security at AutoTrader.com, a subsidiary of Cox Enterprises.

AutoTrader, which recently completed the acquisition of VinSolutions, a provider of end-to-end solution platforms for auto dealers, has been developing SSO provisioning internally based on SAML and other standards, and is now providing SSO to some of its customers.

“Federation has become a key component of our mergers and acquisitions strategy,” Gold says. “It will enable us to on-board new companies and, ultimately, new customers and consumers too, in a quicker and more cost-effective manner. More importantly, we will be able to provide a richer experience to these groups as they interact with different applications and products across the AutoTrader.com portfolio.”

While Gold has worked for organizations that have been able to build their own hooks based on SAML APIs, a growing number of organizations are turning to vendor products or identity service providers to federate their whole identity infrastructures, say analysts.

“Managing your identities, your PKI certificates, assertions and authentication is complicated in this ever-changing identity federation landscape,” says Dave Miller, CSO of Covisint, which supports nine million users of OnStar, linking vehicle drivers with remote services. “This is why analysts see a growing service industry around identities: These services handle the hard work of standardization and identity management for them.”

American Hospital Association (AHA), based in Chicago, is one organization that turned to an identity service from Symplified after federating the first five of 16 widely used software-as-a-service (SaaS) applications for the cloud. Some of the service applications they are federating include social intranet and collaboration provider Socialtext, document management and collaboration provider Box.net, IT self-service management provider Numara FootPrints, and HR payroll/time entry service UltiPro.

“In one example, we had our own custom SAML adoption for one of our performance management tools, but that tool vendor kept changing the way its login works around the exchanging of public and private encryption keys, and our links kept getting broken,” says Karthik Chakkarapani, the AHA’s IT director of technology solutions & operations. “We didn’t want to do this with 16 applications. And we didn’t want to write our own code to enable the single sign-on to all these applications either.”

Federating to mobility

Synovus Bank, with 30 banks on the East Coast, didn’t want to manage the identities of its approximately 100,000 commercial and 200,000 home-based customers. It also wanted its identity management to occur outside its firewall. So Synovus recently started using Crosscheck Networks’ Forum Sentry XML Gateway service between these users and their applications.

“Users and their sessions authenticate on the Forum structure, their SAML assertions are signed by Forum, and Forum also issues their secure tokens,” says Santosh Kokate, lead technical analyst with Synovus. “The beauty is I have online banking sitting safely behind the identity gateway and the identities and authentication are established there. I don’t have to manage those identities or write a single line of code to make federation happen.”

Synovus also supports authentication for mobile users through REST (Representational State Transfer), which supports HTTPS-based assertions for what Kokate estimates are 8,000 mobile banking customers at this point (and more planned in the future). Because Synovus’ intermediary, Crosscheck, supports these and other standards, Synovus can adapt to different types of identity federation requirements as needed.
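The gateway model Kokate describes still leaves one job with the application behind the gateway: checking that a signed SAML assertion it receives is actually meant for it, is still within its validity window, and has not been presented before. The following is an added example, not code from Synovus, Crosscheck Networks or any other party named in this article; the issuer, audience and timestamps in the sample assertion are constructed, and XML-DSig signature verification is assumed to have been performed by an XML security library before these checks run.

```python
# Added example: assertion-level checks a relying party applies to a SAML 2.0
# assertion after its XML-DSig signature has been verified by a library.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (hypothetical issuer, audience and times).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" IssueInstant="2011-09-01T12:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.net</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2011-09-01T12:00:00Z" NotOnOrAfter="2011-09-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://banking.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def parse_time(s):
    """Parse the UTC 'Z' timestamps SAML uses into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, expected_issuer, expected_audience, now, seen_ids, skew_seconds=60):
    """Return (ok, reason, subject). seen_ids is a set of assertion IDs already accepted (replay check)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"] or root.get("Version") != "2.0":
        return False, "not a SAML 2.0 assertion", None
    # Only the issuer we have a trust relationship with may vouch for users.
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        return False, "unexpected issuer", None
    cond = root.find("saml:Conditions", namespaces=NS)
    if cond is None:
        return False, "missing Conditions", None
    # Validity window, with a small allowance for clock skew between IdP and SP.
    skew = timedelta(seconds=skew_seconds)
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now + skew < parse_time(nb):
        return False, "assertion not yet valid", None
    if noa is None or now - skew >= parse_time(noa):
        return False, "assertion expired", None
    # An assertion issued for a different service must not be accepted here.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return False, "audience mismatch", None
    # Each assertion ID may be consumed once within its validity window.
    aid = root.get("ID")
    if not aid or aid in seen_ids:
        return False, "replayed or unidentified assertion", None
    seen_ids.add(aid)
    return True, "ok", root.findtext("saml:Subject/saml:NameID", namespaces=NS)
```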

In “Architecting a Cloud-Scale Identity Fabric,” a report to IEEE, the world’s largest professional association dedicated to advancing technological innovation, Eric Olden, the founder, CEO and chairman of Symplified, discussed two additional standards needed to extend SAML for more granular provisioning (through Service Provisioning Markup Language or SPML), and user authorization and access management (through Extensible Access Control Markup Language or XACML).

“Here’s a news flash for you: Federated Identity 1.0 is dead,” Olden says during a follow-up interview with SC Magazine. “Long live Federated 2.0 to support SSO, multifactor authentication and identity management in an increasingly mobile user base – all essentially accessing through the cloud.”

There are even more standards supporting federation at the 2.0 level, say experts. One is Open Authentication (OAuth) 2.0, which is flexible, lightweight and can be used when SAML is not available by taking assertions over HTTPS. As such, OAuth, along with OpenID, another standard, facilitates access by mobile devices through unique forms of authentication, such as using SMS to issue secondary authentication tokens, or using the phone itself as an identifier.

To make access painless for its nearly six million end-users and 60,000 businesses, the cloud content management platform at Box, a Palo Alto, Calif.-based online content management and file storage business, needs to enable sharing and collaboration from anywhere on any device, while also providing the security, visibility and reporting capabilities required by IT departments. The only way to meet those needs is to support all popular federation standards, says Tomas Barreto, engineering manager at Box.

“Our customers are going to need SSO for all of their applications internally, and for all their clouds – not just our Box cloud,” Barreto says. “To enable SSO use with multiple clouds, we need to support multiple standards, including legacy SSO standards, current SAML standards and new standards as required.”

Federating to the consumer

In consumer-to-business federation networks, such sites as Facebook, Google and other popular social networks are embracing OpenID and other lighter, more open standards so they can become the identity service providers for their own consumers – and all their non-sensitive online applications, Forrester’s Maler says.

Logging in at Facebook, then, would allow users a single click-through to their other applications, so long as those application providers are participating in the federated network and interoperate with the appropriate standards. While some organizations feel uneasy about using a Facebook or Google account as the primary login for their customers, employees and partners, others are accepting this as the way of the future. For example, the AHA’s Chakkarapani says many of his mobile, part-time and younger workforce want to leverage social networking for conducting all forms of business.

“We need to be able to support all types of access in order to achieve the 100 percent adoption of our system that we’ve achieved,” Chakkarapani says. “Many of our young people will only work in these types of collaborative environments.”

On the other hand, AutoTrader’s Gold says he worries about the risk of using social networks as the primary identification service for employee, partner and, ultimately, consumer access. For example, in May, 100,000 Facebook applications enabled the leakage of millions of access tokens to third parties, and there are myriad examples of social networking consumers being phished of their credentials or letting in malware that gets in the middle of properly authenticated communications.

This is why vetting the identity provider is important for organizations considering outsourcing their identity management, says NSTIC’s Grant.

“Vendors and service providers are picking up the basics of identity now, doing provisioning and directory services management,” says Grant, whose program has been slotted to receive $18 million to support identity pilot programs in 2012. “But the tools for governance and compliance aren’t there yet.”

At the end of the day, it doesn’t matter what the standard is, just as long as the identity ecosystem is working for businesses and consumers, says Patrick Harding, CTO of Ping Identity, an identity security firm. “A CTO doesn’t care what standards are involved or if it is federated or not,” he says. “CTOs don’t want lots of passwords everywhere, and they want to seamlessly access all of their applications regardless of where they’re accessing from or where their applications are hosted.”

LEGALITIES: What is required?

The American Bar Association’s Identity Management Legal Task Force is trying to sort out legal and privacy issues surrounding identity attributes and trust. In January, after a series of regional and national meetings, the ABA released version two of its Trust Framework for federated identity networks. The framework describes operational and legal requirements for building trust into these systems, including the use of specifications, standards and rules of operation and enforcement.